With reproductive rights under fire, we might look to the EU for inspiration on keeping data private
In June, after the Supreme Court overturned Roe v. Wade, there was a call for women and people who menstruate to delete the apps on their phones that they used to track their periods. There was a risk, the thinking went, that now that abortion was illegal for millions of people in the United States, if the tech companies that controlled the data detailing an individual’s menstrual cycles could be subpoenaed, and forced to hand the data over, that the data could then be used as evidence—if there was, say, an interruption in the cycle—that someone had been pregnant, and that the pregnancy had ended.
Since the Dobbs ruling, so-called Femtech developers have been making their privacy policies more transparent, and modifying their apps to give users the option to remain anonymous. Still, some users have been deleting such apps and going back to tracking their cycles via paper and pencil. The House of Representatives introduced the My Body, My Data Act, which was meant to protect reproductive and sexual health data, but the bill stalled out. Until such legislation protecting users’ private data is enacted, it’s up to individuals to safeguard themselves, and for tech companies to enable them to do so.
The companies that make the apps that collect our data have a good reason for doing so. Our data—where we are, what we buy, what we search for and yes, whether or not we are menstruating or pregnant—is a valuable commodity. Knowing so much about us allows companies to recognize patterns and predict trends in consumer behavior and thinking. This data is so valuable, in fact, that there is an entire, largely unregulated data brokerage industry in which middlemen buy and sell consumer data from and to companies, all to the tune of some $200 billion or more each year. With so many profitable reasons for companies to bring our data to market, there’s not much incentive for tech companies to keep our information private.
Now, post-Dobbs, that data can be used not just to put advertisements in front of certain users, but to prosecute those users. To help combat the concerns of private data being used as evidence of having an abortion, some have decided to flood period apps with phony data to obscure real information—though this is, reportedly, ineffective. Others have encouraged users to download apps based in the European Union—which, with its General Data Protection Regulation (GDPR), is further ahead of the U.S. on privacy matters—based on the logic that it is more difficult for European companies to be subpoenaed by U.S. state governments. The EU calls its privacy law “the toughest . . . in the world,” and imposes stiff penalties on those who violate it. Indeed, the GDPR establishes provisions on, among other things, informed consent and data transparency, and limits the purposes for which data is collected. Americans who use period apps based in the EU, which must follow GDPR standards, may indeed feel a bit more protected.
However, Article 49(1)(e) of the GDPR still allows EU companies to share data to establish or defend legal claims, and if a European-based company stores its data outside the EU, that data may be subject to different standards. Moreover, GDPR doesn’t prohibit the buying and selling of users’ data. So, even the savviest American users can’t rely on “the toughest” privacy laws in the world to protect their data, particularly as most companies still see a business case for selling that data.
One way, then, to compel app-makers to prioritize their users’ privacy could be to make it clearly in their business interest, as a competitive advantage. There are already good examples. Some period apps that promised better privacy policies than their competitors saw a surge in downloads after the Dobbs ruling, demonstrating the explicit consumer desire—and a business case—for improved user privacy. And leading tech companies like Apple have shown that enhanced privacy features are, in fact, a major selling point. More app-makers could stand to learn by these examples: using end-to-end encryption, collecting only the minimum information needed, providing an option to only allow data to be stored locally on one’s device rather than in the cloud, and limiting third-party sharing.
Americans are living in an era when certain longstanding rights to privacy are suddenly at risk of being—and in some cases, already have been—removed. At the same time, we are living in an era when more and more of our data is controlled not by us, the users, but by the companies that make the apps we use. It is not simply those who menstruate who are affected, either. Post-Dobbs, the rights of transgender people, married gay people, and those who use contraception are also potentially at risk. In today’s increasingly digital world, until privacy protection laws are cemented into place, consumer privacy won’t be assured unless consumers can effectively take the steps they need to take to protect their data. Tech companies might view this as a burden, but there will likely be profits for those companies that see it, instead, as an opportunity.
Mary Lee is a mathematician at the nonprofit, nonpartisan RAND Corporation.
(31)